The invention relates generally to computer systems and deals more particularly with a system and method for determining which resources a user can access.
In many computing systems, there is a need to determine whether a user who is requesting information or some other resource is allowed to access the resource. A common technique to determine whether the user is allowed to access the resource involves authentication and authorization. Authentication is the process of determining whether the requesting user is, in fact, the user that has been represented by the user. This is typically done by comparing the ID and password submitted by the user to entries in an authentication table to determine if they match. The ID submitted by the user can be an ID associated with the user as an individual or an ID associated with a group in which the user is a member. Authorization is the process of determining whether the authenticated user or group has been granted access (i.e. has been authorized) to access the resource that has been requested. The authorization system indicates which resources each individual user is permitted to access and which resources each group is permitted to access. These authorizations may have been assigned previously by a system administrator to control access to sensitive or restricted resources. It is common for authentication and authorization to be handled as separate steps, although in most cases the authentication system is closely tied to the authorization system.
Some times, the same user has different user IDs or can gain access through a group ID for a group in which the user is a member. Each different user ID can be permitted to access different resources. For example, Mr. Jones as an individual can be granted access to resource X via one user ID and Mr. Jones as an individual can be granted access to resource Y via a different user ID. Also, Mr. Jones as part of a group can be granted access to resources Z via another group ID. Thus, the resources that a given user is permitted to access depends on what ID the user submits with his or her request. While such a technique is effective in controlling access to sensitive or restricted resources, a single person may need to make multiple requests with multiple IDs to access all the resources that the person is permitted to access.
Accordingly, an object of the present invention is to simplify the authorization process for a user to access different resources where the user has or can use more than one ID and each ID alone is not granted authority to access all of these resources.